Re: [NSE] Script Dependencies Replacement for Runlevels

[David Fifield <david () bamsoftware com>]

On Fri, Nov 13, 2009 at 05:58:58PM -0600, Ron wrote:
> Patrick Donnelly wrote:
> > Right now scripts are required to assign a runlevel for their scripts
> > to enforce an ordered execution of a group of scripts during an NSE
> > scan. As an example, smb-brute.nse uses a runlevel of 0.5 so it runs
> > before other smb-* scripts. This allows the other smb-* scripts to
> > utilize the results from the smb-brute.nse script. Unfortunately, it
> > can be difficult to identify the dependencies between these scripts
> > (specified loosely via runlevels) and impossible to enforce a
> > dependency (since scripts are not aware of what other scripts are
> > running). Enforcing a dependency means that we do not run our script
> > if we are missing a dependency (or, we abort scanning altogether
> > because a dependency is missing).
> >
> > I have created a patch to NSE that replaces runlevels with a table of
> > dependencies that clearly outlines what other scripts the script
> > depends on. The table is of the form:
> >
> > dependences = {"script1", script2", ...}
> >
> > Runlevels become an internal representation of the order of scripts
> > that are generated by the dependencies. If a dependency is not present
> > in the current group of scripts then an error will be raised noting
> > the missing dependency. Alternatively, you can use the new command
> > line option --script-autoadd to automatically add dependencies to the
> > current group of scripts (this can potentially add dangerous scripts
> > and therefore is not the default).
> >
> > We also have weak dependencies that specify scripts that the script
> > should run after but are not required for its execution. Its form is
> > the same as the dependencies table above.
> >
> > The user will still see what the current runlevel is during the scan.
> > Additionally, they will now be aware of the number of runlevels:
> >
> > NSE: Script scanning 127.0.0.1.
> > NSE: Starting runlevel 1 (of 3) scan.
> > Initiating NSE at 17:38
> > Completed NSE at 17:38, 0.00s elapsed
> > NSE: Starting runlevel 2 (of 3) scan.
> > Initiating NSE at 17:38
> > Completed NSE at 17:38, 0.00s elapsed
> > NSE: Starting runlevel 3 (of 3) scan.
> > Initiating NSE at 17:38
> > Completed NSE at 17:38, 0.00s elapsed
> > NSE: Script Scanning completed.
> >
> > Another non-obvious benefit to explicit dependencies is we no longer
> > have scripts running in their own runlevel needlessly (reducing our
> > overall parallelism). Before, smb-brute would run by itself in
> > runlevel 0.5 when it could run alongside other unrelated scripts.
> >
> > With respect to backwards compatibility, there is none. We ignore any
> > runlevel specification in the script. Explicit dependencies would be
> > required.
>
> We talked about wildcard dependencies somewhere in this thread, and how
> there wasn't much of a case for using them, but I thought of something.
>
> smb-security-mode.nse prints out the user that was performing all the
> tests. To get a good reading, it should run after at least one script.
> Therefore, smb-security-mode.nse sort of has a weak dependency on smb-*.
> So there's a use case for it.
>
> Right now, I'm solving it with "runlevel = 1.01", but that's hacky.

I didn't mean "*login" is a wildcard matching script names. It just
stands for any syntax that could be used to stand for a class of
scripts. It could be [login] or $auth$ or whatever, just to indicate
that a script is capable of finding accounts that other scripts might
want to use. Your use of runlevel = 1.01 is exactly what would need a
replacement when we change to a dependency system.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/